Web Application Defence. Architecture Paper

Transcription

1 Web Application Defence Architecture Paper June 2014

2 Glossary BGP Botnet DDoS DMZ DoS HTTP HTTPS IDS IP IPS LOIC NFV NGFW SDN SQL SSL TCP TLS UTM WAF XSS Border Gateway Protocol A group of compromised hosts collectively used for malicious purposes, such as spam or DDoS Distributed Denial of Service De-Militarised Zone Denial of Service HyperText Transfer Protocol HTTP secured with SSL or TLS Intrusion Detection System Internet Protocol Intrusion Prevention System Low Orbit ION Cannon Network Function Virtualisation Next Generation Firewall Software Defined Networking Standard Query Language Secure Sockets Layer Transmission Control Protocol Transport Layer Security Unified Threat Management Web Application Proxy Cross Site Scripting Web Application Defence Page 1 June 2014

3 CONTENTS 1. Introduction About FarrPoint The Web Application Threat Landscape DoS Application Layer Attacks Traditional Defences DDoS Application Attacks Modernising Perimeter Defence Layered Defence Volumetric Attack Mitigation NGFW/UTM DDoS Mitigation WAF Great: More Appliances to Manage Other Considerations Monitoring and Response Secure Coding Practices IPv Soft Controls Virtualisation and Consolidation Cloud Services Summary Contact Information Copyright 2014 FarrPoint Ltd. All rights reserved. Web Application Defence Page 2 June 2014

4 1. Introduction This FarrPoint Architecture Paper is your guide to effectively defending critical web applications in the modern threat landscape. In it, we discuss the current threats to web applications, traditional defences, and some of FarrPoint s thinking on the provision of layered network defences to secure your critical apps. 1.1 About FarrPoint FarrPoint was founded in 2007 as an independent IT and telecoms consultancy and right from the start we believed that we had some key differentiators in our favour. We believe that to truly advise on technology, you have to be able to truly understand it. All of our founders come from engineering backgrounds, which gives us the ability to fully engage with your technical needs. We also pride ourselves on being smart, nimble and flexible in the way we work, whilst always striving to provide the best client satisfaction possible our success flows from client happiness. FarrPoint is based in Scotland with no boundaries to project location. Web Application Defence Page 3 June 2014

5 2. The Web Application Threat Landscape Web applications are the life-blood of many businesses as their main way of interacting with customers, suppliers, and partners. Down time on a web application can have a catastrophic impact on an organisation s ability to operate, so the defence of these assets is a key requirement for any security team. 2.1 DoS A denial of service, or DoS attack occurs when a target is bombarded with more requests than the infrastructure can handle, or when a system is otherwise taken offline by exploiting other flaws. When a DoS attack is distributed (DDoS), many attacking systems, usually under the control of a single criminal or organisation, are used to overwhelm the target system. What makes denial of service attacks dangerous is their similarity to genuine user requests. It is often difficult to differentiate between genuine traffic and attack traffic whilst under DoS attacks. The simplicity and wide availability of DoS attack tools, such as Anonymous Low Orbit ION Cannon (LOIC), make DoS attacks a cheap and effective tool for extorting money from businesses around the world Volumetric Attacks Volumetric attacks rely on sheer volume of data to overwhelm a target system, and are generally simple to detect, although not particularly easy to mitigate Low and Slow Attacks Low and slow attacks rely on the exploitation of a flaw in the target systems hardware or software to trigger a DoS condition, such as crashing web server software or the target system s network stack. Low and slow attacks can be difficult to detect and are usually small enough in volume to bypass controls intended to prevent volumetric attacks. Web Application Defence Page 4 June 2014

6 2.1.3 Amplification Attacks The use of vulnerable Internet based systems to amplify a small volume of attack traffic into massive volumetric attacks is called an amplification attack. An example of this is the recent use of Internet NTP servers to reflect and amplify attack traffic by spoofing address information, triggering a massive volume of return traffic to the victim DDoS as Diversion One of the dangers of a DDoS attack is that it consumes both time and resources. Hard-pressed security teams can be swamped with the effort of getting critical business systems back online during a DDoS attack, meaning that more subtle intrusions can go unnoticed. 2.2 Application Layer Attacks SQL Injection Most web applications rely on a database at the back end, and the overwhelming majority use some form of SQL based database. An attacker can try to trick the web application into sending custom SQL queries, which can then reveal sensitive data held within the web application, such as usernames and passwords Cross-Site Scripting (XSS) Web Application Defence Page 5 June 2014

7 The most prevalent technique for exploiting web applications is currently cross-site scripting or XSS. In a XSS attack, the attacker exploits poor input validation within the web application to inject malicious code, which is then exposed to other users. This can be an extremely effective way of compromising sensitive web apps, and is trivial to exploit Buffer Overrun Attacks Software often stores data provided by the user in variables, which are stored in memory on the server. An attacker can exploit poor coding practices by deliberately entering more data than is supported by a given variable, sometimes giving access to sensitive areas of the system s memory, executing arbitrary code, or simply triggering an application or service crash Exploiting Coding Flaws Poor coding techniques, such as failing to check the validity of data entered by a user, or the validity of data returned by the application can allow an attacker to gain unauthorised access to sensitive data, or allow them to take control of the target system. Secure coding practice is outwith the scope of this paper Infrastructure Attacks Attackers can also attempt to attack the application s supporting infrastructure such as the web server, operating system, or network layer of the system s technology stack. Web Application Defence Page 6 June 2014

8 3. Traditional Defences Many of the DDoS and application layer attacks described in this paper have been around for long enough that traditional defence patterns have emerged to try and counter them. 3.1 DDoS Throwing Bandwidth at the Problem Often, the initial response to a volumetric DDoS attack is to solve the problem by increasing the inbound bandwidth available to the target system. This is often done in co-operation with the target s ISP, and has the advantage that the service can be kept running without dropping any traffic, since the bottleneck in many Internet connected systems is the connection to the Internet itself. Unfortunately, current attack tools, and the use of amplification attacks, mean that simply increasing the available bandwidth buys time at best. The attacker can simply up the volume of attack traffic Migrating Services Another option often used in the early days of DDoS attacks was the migration of services onto new IP addresses. Again, this was often carried out in conjunction with service providers and required a DNS record change for the relevant service, re-pointing them at the new addresses. These days, this technique is almost useless, as attack traffic simply moves with the service Cloud Based Scrubbing Services One very effective technique against volumetric attacks is to re-route traffic to a service through a cloud based scrubbing centre. The scrubbing centre is usually a large scale data centre with exceptionally high volumes of Internet bandwidth that can absorb the DDoS attack, filter out attack traffic, and forward on genuine traffic. The move by attackers towards the low and slow approach was primarily down to the increased use of scrubbing services. Web Application Defence Page 7 June 2014

9 3.2 Application Attacks IDS/IPS Intrusion detection and intrusion prevention systems use signatures and deep packet inspection to analyse traffic passing through the network. Signatures detect known attack patterns, which can be alerted upon or blocked, depending on how the system has been deployed and configured Firewalls Traditional firewalls prevent direct access to sensitive management interfaces and can perform rudimentary inspection of traffic to try and prevent exotic attacks, but are fundamentally stymied by the requirement to allow HTTP and HTTPS traffic through to the web application. Web Application Defence Page 8 June 2014

10 4. Modernising Perimeter Defence Traditional perimeter defences rely on out-dated assumptions of how network based attacks work. As a result, they are losing relevance, and although still important as part of an overall network security architecture, their value is decreasing as time goes on. Here, we ll show you how you can bolster your perimeter defences using next generation technologies. 4.1 Layered Defence It is very important not to rely on a single defence mechanism for a given threat, particularly when you are defending a key asset. Your perimeter defences should consist of multiple layers, with multiple ways to defend against threats. Source: FarrPoint Web Application Defence Page 9 June 2014

11 A sample architecture is shown above. In this design, traffic passing to a web application must transit multiple layers before connecting to the servers themselves, as described below. 4.2 Volumetric Attack Mitigation If volumetric DDoS attacks are a concern, you should consider the use of a cloud based DDoS mitigation service that can help your services to remain available in the event of a volumetric attack. These can work by passing all of your traffic through a scrubbing centre at all times, or, if the likelihood of an attack is relatively low, traffic can be manually re-directed to a scrubbing centre via BGP once an attack begins. 4.3 NGFW/UTM At the network edge a next generation firewall, or unified threat management gateway, is used to police traffic entering the network, and will block reconnaissance and network layer attacks before they enter the DMZ. 4.4 DDoS Mitigation Low and slow attacks are an effective way for criminals to disrupt services protected by traditional DDoS mitigation services. It is therefore critical to maintain service availability through the use of on-site DDoS mitigation appliances. These can significantly improve a network s resilience to low and slow attacks. 4.5 WAF Web application firewalls are specifically designed to combat attempts to compromise web applications using attacks such as the OWASP Top 10. These attacks occur at the application layer, and can be tailored for the specific web application they are targeted against. A WAF can be configured to understand the core logic of the web application it s defending, compensating for poor coding practices and other application specific vulnerabilities. 4.6 Great: More Appliances to Manage Of course, one downside to a layered defence model is a proliferation of appliances and management consoles. When deploying this kind of architecture at scale, this Web Application Defence Page 10 June 2014

12 can make the network infrastructure an unacceptable cost burden. Happily, many vendors have solutions that can be integrated with existing appliances. This means that you may have platforms already in place that can be upgraded to provide some of the security services to defend core web applications. Web Application Defence Page 11 June 2014

13 5. Other Considerations This white paper has tried to remain focussed on the network security architecture required to properly defend web applications, but there are many other things to consider. 5.1 Monitoring and Response When deploying security appliances, it is vital that they are configured to log security events to a common repository, and that those events are monitored and acted upon. In large scale deployments, the volume of data emerging from the security estate can be enormous, quickly swamping security teams. Correlation and automated response technologies can help with this. 5.2 Secure Coding Practices Technologies such as WAFs are sticking plasters for coding errors in web applications they will never catch every possible threat. You can improve your web application s security posture further by implementing and enforcing secure coding practices to minimise the attack surface of your applications. 5.3 IPv6 As we continue to exhaust the available IPv4 address pool, more and more services will migrate to IPv6. During the migration period, many services will become dualstacked to maintain connectivity to both the IPv6 and legacy Internets. You should be aware that this doubles the attack surface of your network infrastructure. Understand the risks, and put controls in place to mitigate them. 5.4 Soft Controls This is the bit the vendors don t like, but is also one of the most effective security techniques available. Technical controls will only get you so far, and the weakest link remains your human employees. Put in place robust and achievable processes and procedures to enhance security, particularly around incident response. 5.5 Virtualisation and Consolidation Web Application Defence Page 12 June 2014

14 Most modern data centres are heavily virtualised meaning that the network infrastructure becomes ever more complex, as server instances continue to collapse into fewer physical hosts. Security mechanisms need to be built into the virtualisation layer and segmentation maintained without compromising the benefits of virtualisation. It is also important to consider how you can benefit from the virtualisation and consolidation of the network infrastructure itself. 5.6 Cloud Services Many web apps are now hosted in the cloud, and many cloud providers offer only limited customisation options with regard to perimeter defences, often only providing access to rudimentary stateless firewall services. You should carefully consider how to address this gap, potentially using load balancers and WAFs hosted in your own data centres as reverse proxies to ensure application traffic is inspected before being passed to cloud instances. Web Application Defence Page 13 June 2014

15 6. Summary Web application defence requires a multi-layer approach to adequately defend critical services. In particular, effective DDoS mitigation requires a combination of volumetric and application layer protection through the use of a combination of cloud-based and local services. The requirement for layered security doesn t have to mean the deployment of numerous physical appliances; we can use techniques such as network function virtualisation to consolidate security solutions into existing infrastructure components. Finally, it is important not to neglect softer controls such as an effective secure software development lifecycle for the development of web applications. 6.1 Contact Information If you would like further information on this topic, or any other aspect of cybersecurity, you can contact the author on +44 (0) or via neil.anderson@farrpoint.com. Web Application Defence Page 14 June 2014